Diffstat (limited to 'etc/proxy-server.conf-sample')
-rw-r--r-- | etc/proxy-server.conf-sample | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 5b6313479..cade60751 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -776,9 +776,18 @@ use = egg:swift#decrypter
 [filter:keymaster]
 use = egg:swift#keymaster
-# Sets the root key from which encryption keys are derived. Change before
-# first use. After that, changing the key may result in data loss.
-encryption_root_secret = change_before_use
+# Sets the root secret from which encryption keys are derived. This must be set
+# before first use to a value that is a base64 encoding of at least 32 bytes.
+# The security of all encrypted data critically depends on this key, therefore
+# it should be set to a high-entropy value. For example, a suitable value may
+# be obtained by base-64 encoding a 32 byte (or longer) value generated by a
+# cryptographically secure random number generator. Changing the root secret is
+# likely to result in data loss.
+# TODO - STOP SETTING THIS DEFAULT! This is only here while work
+# continues on the feature/crypto branch. Later, this will be added
+# to the devstack proxy-config so that gate tests can pass.
+# base64 encoding of "dontEverUseThisIn_PRODUCTION_xxxxxxxxxxxxxxx"
+encryption_root_secret = ZG9udEV2ZXJVc2VUaGlzSW5fUFJPRFVDVElPTl94eHh4eHh4eHh4eHh4eHg=
 [filter:encrypter]
 use = egg:swift#encrypter |
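Review bot: The value now assigned to `encryption_root_secret` at the end of this hunk is a publicly known string in the required format (base64 of a 44-byte value), so a deployment that copies the sample unchanged would presumably satisfy the new "at least 32 bytes" requirement while deriving every key from a secret anyone can read. The previous placeholder `change_before_use` at least did not look like a usable key. Until the TODO is resolved, I would ship the option commented out, `# encryption_root_secret =`, and supply the test value from the gate or devstack configuration instead of the sample file. If the default has to stay for now, the keymaster could refuse to start when it sees this exact value, and the comment should say plainly that the sample value must be replaced before any data is written.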